Project

General

Profile

Actions
Copy link

Bug #63751

closed

RGW/IAM-STS: Permission policies are not honored

Added by Oguzhan Ozmen 5 months ago. Updated 2 months ago.

Status:
Won't Fix
Priority:
Normal
Assignee:
-
Target version:
-
% Done:

0%

Source:
Community (user)
Tags:
rgw iam sts
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
Ceph - v18.2.0
ceph-qa-suite:
Pull request ID:
54826
Crash signature (v1):
Crash signature (v2):

Description

There's 2 related topics/issues here.

rgw admin has no visibility in who owns which roles

  • "role create" doesn’t make use of user id (—uid) info.
  • "role list" gives no visibility to the admin wrt who owns the roles.
  • likewise, when a rest/s3 user/client creates a role, an admin doesn't have visibility wrt owner of the role as "tenant" is not generally used.

policy permissions are not honored

A random s3 user, regardless of whether it's listed in the trust policy or not and regardless of whether such a user has already assumed the trust policy or not, can delete another user's role or take actions (e.g., put policy, delete policy, etc.) on another user's role - which is a critical privacy/security gap.

Raised the s3-test PR that reproduces this problem: https://github.com/ceph/s3-tests/pull/535.

The test test_role_ownership__delete_role_without_permission fails with

FAILED s3tests_boto3/functional/test_sts.py::test_role_ownership__delete_role_without_permission - AssertionError: without acquiring DeleteRole permission, cannot delete other user's role

which shows that a random s3 user can delete some other user's role.

And, the test test_role_ownership__put_or_delete_policy_without_permission fails with

FAILED s3tests_boto3/functional/test_sts.py::test_role_ownership__put_or_delete_policy_without_permission - AssertionError: alt user put the policy although permission is not granted yet

which shows that a random s3 user can put a policy to some other user's role without obtaining PutPolicy permission.

Finally, testcase test_s3_ops shows how powerful the PutPolicy permission is.

Root Cause Analysis

At https://github.com/ceph/ceph/blob/cc1951a5d6d7a11185fc095b6ccd094f3b1273eb/src/rgw/rgw_rest_role.cc#L94, the method RGWRestRole::verify_permission (the default method for actions to verify whether the user has permission for that action), we currently check only user's capability. Instead of returning early, after verifying user has the required capability, we should also check permission policies. Owner of the role would have all the permissions implicitly so the owner of the role (if specified) can skip this check.

As a solution, raised PR https://github.com/ceph/ceph/pull/54826 for further review.

The fix resolves the new testcases added to s3-tests:test_sts.py. Other existing tests pass as well after the fix. There's 2 cases, though, that fail the same way before & after fix.

Actions
Copy link

Also available in: Atom PDF